How to audit API step by step

Martyna Wiśnik
Mar 29, 2021 7 minutes read
Featured post thumbnail

API is an important software intermediary that enables the communication between two applications. It provides software flexibility, simplifies the designing process, and eases the management. When it comes to the software ecosystem, everything needs to keep up with the highest standards, because a well-planned ecosystem gives high comfort of using the services. The most effective way to recommend improvements is strong expertise. Read on to know how we conducted API and documentation audit step by step.

API and documentation audit

At first we decided to carry on the audit in a blackbox way of testing. It means that we didn’t have any access to the code or internal documentation. We based the audit mostly on the materials available on the website. At this stage, it was impossible to estimate the percentage coverage of our audit versus all of the API methods. Later, by gaining source code access, we were able to effectively prepare specifications of all controllers, APIs, and methods, as well as an audit plan. We classified errors and problems in the following categories:

  • missing information
  • bad documentation structure
  • API usability
  • design not following standards
  • mistakes and misspellings
  • backend error

The audit team found approximately 21 issues that are listed in the table below.

Category - number of bugs: Missing information - 8; Bad documentation structure - 4; API usability - 5; Design against standards - 2; Mistakes and misspellings - 1; Backend errors - 1; Total - 21.

The last factor we paid attention to while conducting the audit was the overall impression of developers who worked with the API.
API audit: step by step
The most common conceptual visualization of the CI/CD process (also during API building) looks like this one below:

PLAN - business analysis, design and planning of new API functionalities; CODE - new functions are coded on the basis of the project; BUILD - unit testing and installation package building; TEST - acceptance testing / e2e and any other Q&A processes; DEPLOY - package installation on the environment; USER DEPLOY - publication of materials for users, i.e. documentation, help files, articles, tutorials; OPERATE - operational use of the API integrated by external programmers; MONITORING - API monitoring.

The disadvantage of this solution is the lack of a seamless transition from the API project and new functions to automatic tests, or the generation of documentation, examples in different languages, etc. Additionally, launching an interactive and very extensive documentation without automatic connection with the project or code will increase its costs. Installing each version will require a costly identification of potential code snippets that need to be changed. Therefore, we recommend the following project approach.

Step 1: API source code analysis, internal documentation, and API audit plan execution 

The API audit plan contained the following content:

  • Preparation of an API business and system analysis document and related products (documentation, examples, API notation).
  • Preparation of a semantic API description in the so-called high-level API description language. Note that in addition to the API specification, this task will also include the edition and transformation of static documentation items.
  • Selection of available tools (or creation of dedicated scripts) and their configuration to enable the connection with the API specification (see above) and CI/CD in such a way as to automate code/specification compliance validation, generating interactive documentation and automated tests. When the code changes, documentation changes as well, and automatic tests are carried out to demonstrate the compliance of documentation and API.

Below are the modifications to the CI/CD process with new elements that automate validation, tests, and creating interactive documentation. These actions not only improve and tighten up the process – automation affects the pace of implementing new features.

PLAN - business analysis, design and planning of new API functionalities; API DESCRIBE - semantic API description in meta language (symbolic); CODE - new functions are coded on the basis of the project; BUILD - unit testing and installation package building; compliance tests of the semantic API description with API services; TEST - acceptance testing / e2e and any other Q&A processes; automatic API tests; DEPLOY - package installation on the environment; USER DEPLOY - publication of materials for users, i.e. documentation, help files, articles, tutorials; generating documentation with examples and interactive code; OPERATE - operational use of the API integrated by external programmers; MONITORING - API monitoring;

Step 2: API improvement

In the second step, we refer to the use of tools that change the input and output definitions at the parameter name level without changing the business logic. There are 2 possibilities: target or transition version. We can implement API improvement at the code level (target) or at the additional layer level (translator/dispatcher).

Step 3: Developer Center

At this stage, we created a detailed project (UX, technical SEO analysis) of a coherent Developer Center. Then we built a new Developer Center.

How to make API testing easier

We chose 5 methods for the tests and described them using the meta language. In accordance with the chosen concept, we will be able to include the documentation and API compliance validation, automatic tests or interactive documentation in the CI/CD process. For this purpose, we used:

  • API Blueprint (high level API description language for web API’s),
  • Apiary (as an API Blueprint online editor to create interactive documentation),
  • Dredd for testing (a language-agnostic command-line tool for validating API description document against backend implementation of the API).
Screenshot that shows technical documentation about API services.

1. API Blueprint

API Blueprint is a high level language for describing web APIs. The syntax is a combination of Markdown and MSON, and the files are saved with a .apib extension. Markdown is a lightweight text formatting syntax, and MSON is its extension used for describing data objects. The goal of the API Blueprint format is to enable the design-first philosophy  for REST APIs, however, the format works just as well for documenting existing APIs.

2. Interactive documentation (Apiary)

Apiary is an interesting tool that allows us to easily and quickly design an API. While waiting for an endpoint for our application, we can prepare and use appropriate actions ourselves and our development won’t stand still. With this tool, we can simply exchange knowledge within the team, present the requirements for the expected server responses, and prepare interactive documentation. This allows us to easily show the other part of the team how our endpoint should work. The only downside of the free version is the ever-growing project document, where scrolling through our Blueprint can be troublesome with more complicated actions. Nevertheless, we’re happy to use this tool for smaller purposes and encourage everyone to familiarize yourselves with it.

The screenshot below presents the main view of the documentation.

The screenshot presents the main view of the documentation.

The panel on the left is a Table of Contents, which includes 3 chapters:

  • Introduction (contains quickstart),
  • Reference (API),
  • Data Structures (object description).

The Introduction section contains the information about how to set up everything to be able to use API – for example, how to authenticate or register to the system. The Reference section contains actual definitions of all the resources available in the API. Each object has its own section which includes a set of links to each method definition. The Data Structures section contains a list of all objects that are part of the API and their definitions, like parameters and types.

The screenshot presents the Introduction section that contains the information how to set up everything to be able to use the API.

The screenshot below presents the main documentation view with an opened call method details and Try console panel. It shows the URL, URI parameters with description, headers for request and headers, example body, and scheme for response.

The screenshot presents the main documentation view with an opened call method details and Try console panel. It shows the URL, URI parameters with description, headers for request and headers, example body, and scheme for response.

The screenshot below presents a call method details with a possibility to generate code examples (for the use in your application) in many popular programming languages. This helps to facilitate the process of integrating any application or system with the API platform via the API interface. Available languages are cURL, Java, JavaScript, Node.js, Perl, Python, PHP, Ruby, Go, C#, Visual Basic, Groovy, Objective-C, Swift.

The screenshot presents a call method details with a possibility to generate code examples (for the use in your application) in many popular programming languages.

The screenshot below presents the Try console panel which offers an opportunity to test API directly from the documentation. It allows us to put in custom parameters, header and body, and create fully customized request to the server. We can also call methods through mocked endpoints, which allows us to inspect all the traffic around the API.

The screenshot presents the Try console panel which offers an opportunity to test API directly from the documentation.

3. Automated API tests (Dredd)

Dredd reads API description and step by step validates whether API implementation replies with responses as they are described in the documentation.

Dredd reads API description and step by step validates whether API implementation replies with responses as they are described in the documentation.

The screenshot below present Dredd test results in a more readable form. They contain reports for all method calls with errors (if they occurred), any inconsistencies in the request or responses, and other valuable information which can help investigate problems with the API. Dredd can be also connected with any CI/CD tool which runs tests automatically when any changes are applied to the code.

The screenshot presents the Dredd test results in a more readable form.

API audit: the most important

Documentation is an essential part of any API. Without it, it is extremely difficult to find out what endpoints are available, what they are for and what parameters we can use. Such interactive documentation allows us not only to view the available endpoints, their parameters or schemes of returned values but also allows us to try them out. This is useful not only for finding the certain resource but also for calling it on request, which often turns out to be useful during development.

If you’d like to learn more about API audit, API Services or DevOps processes, check our website or read our blog:

  1. API Services: short guide for beginners
  2. Pros and cons of hosting CI/CD DevOps tools in cloud
  3. 5 tips for a well-prepared API

Learn more on topic

Post thumbnail

API services – short guide for beginners
Post thumbnail

How we built a mobile-first Jira app using the 80/20 rule
Post thumbnail

Here’s Why You Should Be Coding with Atlassian Tools

Martyna Wiśnik

More from this author